How Not to Secure Your Wireless Network
SMBs have the misconception that WLANs are less secure than the wired versions. While WLANs, by their very nature of using radio frequency transmission, are somewhat inherently vulnerable, they can be made as secure as wired ones.
Monday, August 21, 2006

Recognizing the productivity gains, lower cost structure and convenience that wireless technology brings to a workplace, many businesses have deployed wireless local area networks (WLANs). Besides office settings, WLANs are also being deployed in warehouses, production bays, laboratories, in fact, anywhere where work is performed.

The value proposition of WLANs is especially attractive to small and medium-sized businesses (SMBs). WLANs are the most flexible and most economical strategy for building or expanding networks. Wireless links eliminate cabling and permit users to access the network anywhere. WLANs are also attractive to SMBs because many of them do not own their premises and want to avoid having to write off fixed network infrastructure when they move. Most also do not have full-time staff to baby-sit their IT assets, let alone just the network.


Some SMBs, however, have the misconception that WLANs are less secure than the wired versions. While WLANs, by their very nature of using radio frequency transmission, are somewhat inherently vulnerable, they can be made as secure as wired ones.

As for wired networks, security for WLANs centers on:

  • Preventing unauthorized parties from connecting to the network to intercept, read, alter or steal sensitive personal and business information, or introduce harmful viruses and worms
  • Stopping legitimate users from connecting to rogue (unauthorized) access points set up by unauthorized parties
  • Making sure normal transmission is not interfered with
  • Keeping out freeloaders intent on hijacking your network bandwidth for their own use

Information abounds on the World Wide Web and in publications on how WLANs can be made secure. Unfortunately, some of this 'advice' is not quite sound and should be taken with multiple pinches of salt. Here are some examples:

Hide your SSID
Each WLAN has a unique name called the Service Set Identifier (SSID). All wireless devices (base stations, clients, etc.) on a WLAN must use the same SSID in order to communicate with each other. Some network owners attempt to hide their SSIDs from intruders by suppressing their broadcast from access points and routers so that their networks do not show up on a list of available networks. The SSID, however, is broadcast over four other mechanisms, so this is akin to plugging one of five holes in a leaking ship.

Place antenna in center of work zone
Some 'experts' say one way to deny unauthorized parties from accessing your WLAN is to place the antenna in the middle of the area you want covered and adjust its power such that the signal does not leak out through walls and windows. Well, serious intruders almost always have bigger antennae than you. As for powering down, you may end up with a half-dead zone at the periphery of the area you wanted covered, which defeats the whole point of having a WLAN in the first place.

Use WEP
Wired Equivalent Privacy (WEP) is a standard method to encrypt traffic over a wireless network. There are, however, known weaknesses in how the encryption is implemented. So while WEP can stop casual sniffers like freeloaders, it provides little protection from serious attackers armed with readily available tools that can crack WEP keys in minutes.

Disable DHCP
Dynamic Host Configuration Protocol (DHCP) is a protocol for automatically assigning IP addresses to devices on a network. This means that any wireless device that gets within range of your WLAN equipment may be able to acquire an IP address from your router and be accepted into the network – without your knowledge. Disabling DHCP, however, is inadequate protection, as committed hackers can figure out your IP addressing scheme and assign themselves addresses to gain access to your network in minutes.

Getting Started
  • Change all default settings for SSID, administrative passwords and user passwords on routers, access points, and wireless cards. Default SSIDs and passwords are published by the manufacturers on the Internet and are meant to speed up installation, not provide security
  • Choose an SSID that is difficult to guess. Do not use the boss' name or car registration number, office address, phone or fax number, or the company's name or initials
  • Wi-Fi Protected Access (WPA) is extremely complex and difficult to compromise. If your system has WPA and offers shared key encryption, enable it
  • For businesses that have Microsoft Active Directory, Microsoft IAS or a RADIUS server, it is recommended that you enable 802.1X network login. This enables the wireless access point to check the user's credentials back with the server before allowing them access to the network
  • If your access point or router came with a firewall, use it. If it did not, install a hardware firewall for the entire network and install software firewalls on every computer that connects to the WLAN
  • Most access points have built in logging. Review the access logs on a regular basis and look for any abnormalities
  • Ensure that employees do not access unacceptable web sites, which can result in costly legal and social liabilities. Improper web usage also squanders network bandwidth and undermines productivity. Enforcement of web usage policies can be outsourced, by subscribing to a content filtering service
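
A sketch of the log review recommended in the list above, added here as an example and not part of the original article. The log line format, the `KNOWN_MACS` inventory, the working hours and the failure threshold are all assumptions; real access points use vendor-specific formats, so the `LINE` pattern must be adapted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log; the line format is an assumption, adapt LINE to your AP.
SAMPLE_LOG = """\
2006-08-21T09:02:11 ap1 auth mac=00:16:cb:aa:10:01 result=ok
2006-08-21T09:05:40 ap1 auth mac=00:0d:3a:55:77:02 result=ok
2006-08-21T13:17:03 ap1 auth mac=02:11:22:33:44:55 result=fail
2006-08-21T13:17:09 ap1 auth mac=02:11:22:33:44:55 result=fail
2006-08-21T13:17:15 ap1 auth mac=02:11:22:33:44:55 result=fail
2006-08-21T19:30:00 ap1 auth mac=00:13:02:9f:00:7c result=ok
2006-08-22T02:41:52 ap1 auth mac=00:16:cb:aa:10:01 result=ok
"""

KNOWN_MACS = {"00:16:cb:aa:10:01", "00:0d:3a:55:77:02"}  # hypothetical asset inventory
WORK_HOURS = range(7, 20)   # 07:00-19:59 local time, hypothetical policy
FAIL_THRESHOLD = 3          # failed logins per MAC before flagging

LINE = re.compile(r"^(\S+) (\S+) auth mac=([0-9a-f:]{17}) result=(ok|fail)$")

def review(log_text):
    """Return a sorted list of (reason, mac, timestamp) findings."""
    findings, fails = [], Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines in a format we do not understand
        ts, _ap, mac, result = m.groups()
        hour = datetime.fromisoformat(ts).hour
        if result == "fail":
            fails[mac] += 1
            if fails[mac] == FAIL_THRESHOLD:
                findings.append(("repeated-auth-failure", mac, ts))
        elif mac not in KNOWN_MACS:
            findings.append(("unknown-device", mac, ts))
        elif hour not in WORK_HOURS:
            # A known MAC at an odd hour still deserves a look: MACs can be spoofed.
            findings.append(("known-device-off-hours", mac, ts))
    return sorted(findings)

if __name__ == "__main__":
    for reason, mac, ts in review(SAMPLE_LOG):
        print(f"{ts}  {mac}  {reason}")
```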


Filter MAC addresses
Media access control (MAC) addresses - they have absolutely nothing to do with burgers - are essentially unique nametags for wireless adaptors. Filtering ensures that only pre-screened clients are allowed to connect to the network. The problem is that MAC addresses are sent out in the clear, i.e. not encrypted, and a network attacker can easily spoof a valid address using a network interface card and protocol analyzer tools. The other downside: manually configuring every 'allowed' adaptor takes a lot of technical skill and man-hours.

The unsoundness of such 'advice', however well intended, may prompt businesses to ask if benefiting from the use of WLANs means having to compromise on security. The answer is no. Both can be attained if the WLAN infrastructure is carefully planned, diligently implemented and sensibly managed – like the business itself.
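
The article's points can be turned into a configuration check. The following is an added example, not part of the original article: it assumes the access point is configured through a hostapd-style `key=value` file, and the two configurations, the default-SSID list and the finding names are constructed for illustration.

```python
DEFAULT_SSIDS = {"linksys", "default", "netgear", "3com", "dlink"}  # illustrative, not exhaustive

# Constructed configs using hostapd-style keys; all values are made up.
WEAK = """\
ssid=linksys
ignore_broadcast_ssid=1
macaddr_acl=1
wep_default_key=0
wep_key0=0123456789
"""
HARDENED = """\
ssid=wh-north-7f3
wpa=2
wpa_key_mgmt=WPA-EAP
ieee8021x=1
auth_server_addr=192.0.2.10
"""

def parse(text):
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return finding codes for the weaknesses the article describes."""
    c = parse(text)
    wpa_on = c.get("wpa", "0") != "0"   # hostapd: bit 0 = WPA, bit 1 = WPA2
    findings = []
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("default-ssid")
    if any(k.startswith("wep_key") for k in c):
        findings.append("wep-in-use")
    if not wpa_on:
        findings.append("wpa-disabled")
        if c.get("ignore_broadcast_ssid", "0") != "0":
            findings.append("relies-on-hidden-ssid")
        if c.get("macaddr_acl", "0") != "0":
            findings.append("relies-on-mac-filter")
    elif "WPA-EAP" not in c.get("wpa_key_mgmt", ""):
        findings.append("psk-only")  # advisory: 802.1X if a RADIUS server exists
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

A hidden SSID or a MAC filter is reported only when WPA is off, because that is the case where the network is relying on them as its barrier.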

The author is Product Marketing Director - Asia Pacific of 3Com Corporation and can be contacted at Matthew_Walmsley@3com.com

© Source: Dataquest